Abstract

Functions with low differential uniformity can be used as the s-boxes of
symmetric cryptosystems as they have good resistance to differential attacks.
The AES (Advanced Encryption Standard) uses a differentially 4 uniform function
called the inverse function. Any function used in a symmetric cryptosystem
should be a permutation. Also, it is required that the function is highly
nonlinear so that it is resistant to Matsui's linear attack. In this article we
demonstrate that the highly nonlinear permutation $f(x) = x^{2^{2k}+2^k+1}$,
discovered by Hans Dobbertin [7], has differential uniformity of four and hence,
with respect to differential and linear cryptanalysis, is just as suitable for
use in a symmetric cryptosystem as the inverse function.

1 Introduction 

Functions with a low differential uniformity are interesting from the point of
view of cryptography as they provide good resistance to differential attacks [11].
For a function to be used as an s-box of a symmetric cryptosystem it should be a
permutation and defined on a field with even degree. It is also essential that
the function has high nonlinearity so that it is resistant to Matsui's linear
attack [10]. The lowest possible differential uniformity is 2 and functions with
this property are called APN (almost perfect nonlinear). There has been much
recent work and progress on APN functions (see [2], [3], [4], [5], [6]). However,
at present there are no known APN permutations defined on fields of even degree,
and whether such functions exist is actually the most important open question in
this field. This is why the AES (advanced encryption standard) uses a
differentially 4 uniform function, namely the inverse function.
For the rest of the paper, let $L = \mathbb{F}_{2^n}$ for a positive integer $n$
and let $L^*$ denote the set of non-zero elements of $L$. Let
$\mathrm{Tr} : L \to \mathbb{F}_2$ denote the trace map from $L$ to $\mathbb{F}_2$.
For positive integers $r, k$ by $\mathrm{Tr}^{rk}_{k}$ we denote the relative trace
map from $\mathbb{F}_{2^{rk}}$ to $\mathbb{F}_{2^k}$ and by $\mathrm{Tr}_r$ the
absolute trace from $\mathbb{F}_{2^r}$ to $\mathbb{F}_2$.

Definition 1 A function $f : L \to L$ is said to be differentially $\delta$
uniform, if for any $a \in L^*$, $b \in L$, we have

$$|\{x \in L : f(x+a) + f(x) = b\}| \leq \delta.$$

Definition 2 Given a function $f : L \to L$, the Fourier transform of $f$ is the
function $\hat f : L \times L^* \to \mathbb{Z}$ given by

$$\hat f(a,b) = \sum_{x \in L} (-1)^{\mathrm{Tr}(ax + b f(x))}.$$

The Fourier spectrum of $f$ is the set of integers

$$\Lambda_f = \{\hat f(a,b) : a, b \in L,\ b \neq 0\}.$$

The nonlinearity of a function $f$ on a field $L = \mathbb{F}_{2^n}$ is defined as

$$NL(f) := 2^{n-1} - \frac{1}{2} \max_{a \in L,\ b \in L^*} |\hat f(a,b)|.$$

The nonlinearity of a function measures its distance to the set of all affine
maps on $L$. We thus call a function maximally nonlinear if its nonlinearity is
as large as possible. If $n$ is odd, its nonlinearity is upper-bounded by
$2^{n-1} - 2^{\frac{n-1}{2}}$, while for $n$ even a conjectured upper bound is
$2^{n-1} - 2^{\frac{n}{2}}$. For odd $n$, we say that a function $f : L \to L$ is
almost bent (AB) when its Fourier spectrum is $\{0, \pm 2^{\frac{n+1}{2}}\}$, in
which case it is clear from the upper bound that $f$ is maximally nonlinear.

In an article of Hans Dobbertin [7] he offers a list of power mappings that
permute fields of even degree and meet the conjectured nonlinearity bound of
$2^{n-1} - 2^{\frac{n}{2}}$. Following Dobbertin's terminology we shall refer to
such mappings as highly nonlinear permutations. In [7] Dobbertin conjectured
that this list was complete and noted that this had been verified for $n < 22$.
The inverse function (used in AES) is highly nonlinear and hence is on the list.
One of the functions on Dobbertin's list is the power mapping
$f(x) = x^{2^{2k}+2^k+1}$ defined on $\mathbb{F}_{2^{4k}}$, with $k$ odd.

In this article we show that this function has differential uniformity of 4. We
also provide another proof of this function's nonlinearity property. This means
that this function has the same resistance to both the linear and differential
attacks as the inverse function.
2 Differential Uniformity of $f(x) = x^{2^{2k}+2^k+1}$

As mentioned above there are no known permutations of even degree fields with
differential uniformity of two. The following theorem shows that
$x^{2^{2k}+2^k+1}$ has the next best (and best known) differential uniformity,
which is four.

Theorem 1 Let $f(x) = x^{2^{2k}+2^k+1}$ be defined on $\mathbb{F}_{2^{4k}}$. Then
$f(x)$ has differential uniformity of four.

Proof. We need to demonstrate that the equation

$$x^{2^{2k}+2^k+1} + (x+a)^{2^{2k}+2^k+1} = b$$

has no more than four solutions for all $a \in \mathbb{F}_{2^{4k}}^*$ and all
$b \in \mathbb{F}_{2^{4k}}$. Expansion of this expression yields

$$a x^{2^{2k}+2^k} + a^{2^k} x^{2^{2k}+1} + a^{2^{2k}} x^{2^k+1} + a^{2^k+1} x^{2^{2k}} + a^{2^{2k}+1} x^{2^k} + a^{2^{2k}+2^k} x + a^{2^{2k}+2^k+1} + b = 0.$$

Next we replace $x$ with $xa$ and divide by $a^{2^{2k}+2^k+1}$ and obtain

$$x^{2^{2k}+2^k} + x^{2^{2k}+1} + x^{2^k+1} + x^{2^{2k}} + x^{2^k} + x + c = 0 \quad (1)$$

where $c = a^{-2^{2k}-2^k-1} b + 1$.

Let $\mathrm{Tr}^{4k}_{k}$ denote the relative trace map from $\mathbb{F}_{2^{4k}}$
to $\mathbb{F}_{2^k}$. As
$\mathrm{Tr}^{4k}_{k}(x^{2^{2k}+2^k} + x^{2^{2k}+1} + x^{2^k+1} + x^{2^{2k}} + x^{2^k}) = 0$,
Equation (1) implies

$$\mathrm{Tr}^{4k}_{k}(x + c) = 0,$$

which is equivalent to

$$x + x^{2^k} + x^{2^{2k}} + x^{2^{3k}} = t \quad (2)$$

where $t = \mathrm{Tr}^{4k}_{k}(c)$. We note that $t \in \mathbb{F}_{2^k}$.
Equation (1) now becomes

$$x(x^{2^{2k}} + x^{2^k}) + x^{2^{2k}+2^k} + x^{2^{3k}} + t + c = 0,$$

which implies

$$x(x + x^{2^{3k}} + t) + x^{2^{2k}+2^k} + x^{2^{3k}} + t + c = 0,$$

from which we obtain

$$x^2 + x^{2^{3k}+1} + xt + x^{2^{2k}+2^k} + x^{2^{3k}} + t + c = 0. \quad (3)$$

We raise Equation (3) by $2^{2k}$ and get

$$x^{2^{2k+1}} + x^{2^{2k}+2^k} + x^{2^{2k}} t + x^{2^{3k}+1} + x^{2^k} + t + c^{2^{2k}} = 0. \quad (4)$$
Now we add Equations (3) and (4) and make use of (2). This gives

$$(x + x^{2^{2k}})^2 + (t+1)(x + x^{2^{2k}}) + c^{2^k} + c^{2^{3k}} = 0. \quad (5)$$

The remainder of the proof is divided into two cases. They are $t = 1$ and
$t \neq 1$. If $t = 1$ then Equation (5) implies

$$x + x^{2^{2k}} = c^{2^{k-1}} + c^{2^{3k-1}}.$$

We let $r = c^{2^{k-1}} + c^{2^{3k-1}}$. Therefore $x^{2^{2k}} = x + r$. Placing
this into Equation (1) yields

$$(x+r)x^{2^k} + (x+r)x + x^{2^k+1} + x^{2^k} + c + r = 0,$$

which we write as

$$x^2 + r(x + x^{2^k}) + x^{2^k} + r + c = 0. \quad (6)$$

Raising Equation (6) by $2^k$ we obtain

$$x^{2^{k+1}} + r^{2^k}(x^{2^k} + x + r) + x + r + r^{2^k} + c^{2^k} = 0. \quad (7)$$

Next we add Equations (6) and (7) to get

$$(x + x^{2^k})^2 + (r + r^{2^k} + 1)(x + x^{2^k}) + r^{2^k+1} + c + c^{2^k} + r^{2^k} = 0. \quad (8)$$

Note that $r + r^{2^k} = x +  x^{2^k} + x^{2^{2k}} + x^{2^{3k}} = t$, hence if
$t = 1$ Equation (8) becomes

$$(x + x^{2^k})^2 + r^{2^k+1} + c + c^{2^k} + r^{2^k} = 0.$$

This implies $x + x^{2^k} = s$ where
$s = \sqrt{r^{2^k+1} + c + c^{2^k} + r^{2^k}}$. Now we replace $x^{2^k}$ by
$x + s$ in Equation (6) and obtain

$$x^2 + x + rs + s + r + c = 0,$$

which can have no more than two solutions in $x$.

Next we consider the case $t \neq 1$. We replace $x$ with $(t+1)z$ in Equation
(5) and get

$$(t+1)^2\big((z + z^{2^{2k}})^2 + (z + z^{2^{2k}})\big) + c^{2^k} + c^{2^{3k}} = 0.$$

Now let $y = z + z^{2^{2k}}$ so we have

$$(t+1)^2(y^2 + y) + c^{2^k} + c^{2^{3k}} = 0.$$

This equation has at most two solutions in $y$. They are of the form $y = p$
and $y = p + 1$ for some fixed $p$. This implies that $z^{2^{2k}} = z + p$ or
$z^{2^{2k}} = z + p + 1$. Note that $p \in \mathbb{F}_{2^{2k}}$.
If $z^{2^{2k}} = z + p$ then Equation (1) becomes

$$(t+1)^2\big((z+p)z^{2^k} + (z+p)z + z^{2^k+1}\big) + (t+1)(z^{2^k} + p) + c = 0,$$

which gives

$$(t+1)^2\big((z + z^{2^k})p + z^2\big) + (t+1)(z^{2^k} + p) + c = 0. \quad (9)$$

We raise Equation (9) by $2^k$ and obtain

$$(t+1)^2\big((z + z^{2^k} + p)p^{2^k} + z^{2^{k+1}}\big) + (t+1)(z + p + p^{2^k}) + c^{2^k} = 0. \quad (10)$$

Next we add Equations (9) and (10) to get

$$(t+1)^2\big((p + p^{2^k})(z + z^{2^k}) + (z + z^{2^k})^2 + p^{2^k+1}\big) + (t+1)(z + z^{2^k} + p^{2^k}) + c + c^{2^k} = 0,$$

which becomes

$$(t+1)^2(z + z^{2^k})^2 + \big((t+1)^2(p + p^{2^k}) + (t+1)\big)(z + z^{2^k}) + (t+1)^2 p^{2^k+1} + (t+1)p^{2^k} + c + c^{2^k} = 0. \quad (11)$$

Recall $t = x + x^{2^k} + x^{2^{2k}} + x^{2^{3k}} = (t+1)(z + z^{2^k} + z^{2^{2k}} + z^{2^{3k}})$.
Also $p + p^{2^k} = z + z^{2^{2k}} + z^{2^k} + z^{2^{3k}}$, hence
$p + p^{2^k} = \frac{t}{t+1}$. Therefore Equation (11) becomes

$$(t+1)^2\big((z + z^{2^k})^2 + (z + z^{2^k})\big) + (t+1)^2 p^{2^k+1} + (t+1)p^{2^k} + c + c^{2^k} = 0. \quad (12)$$

It can easily be verified that if we had assumed $z^{2^{2k}} = z + p + 1$ then
the same computations as above would also yield Equation (12), so this case
need not be considered.

Next we let $z + z^{2^k} = w$ and write Equation (12) as

$$(t+1)^2(w^2 + w) + (t+1)^2 p^{2^k+1} + (t+1)p^{2^k} + c + c^{2^k} = 0.$$

This equation has at most two solutions in $w$ which take the form $w = q$ and
$w = q + 1$ for some fixed $q$. This implies that $z^{2^k} = z + q$ or
$z^{2^k} = z + q + 1$.

If $z^{2^k} = z + q$ then $z^{2^{2k}} = z + q + q^{2^k}$ and Equation (1) becomes

$$(t+1)^2\big((z + q + q^{2^k})(z+q) + (z + q + q^{2^k})z + (z+q)z\big) + (t+1)(z + q^{2^k}) + c = 0.$$

This simplifies to

$$(t+1)^2 z^2 + (t+1)z + (t+1)^2(q^{2^k+1} + q^2) + (t+1)q^{2^k} + c = 0,$$

which is the same as

$$x^2 + x + (t+1)^2(q^{2^k+1} + q^2) + (t+1)q^{2^k} + c = 0.$$

If on the other hand $z^{2^k} = z + q + 1$, then we would obtain

$$x^2 + x + (t+1)^2(q^{2^k+1} + q^{2^k} + q^2 + q) + (t+1)(q+1)^{2^k} + c = 0.$$

Clearly, this pair of equations will allow no more than four solutions in $x$
and the proof is complete. □

Note that we did not need to assume that $k$ is odd to derive the differential
uniformity of four; however, it is easy to see that the function is not a
permutation if $k$ is even, as $\gcd(2^{4k} - 1, 2^{2k} + 2^k + 1) = 1$ if and
only if $k$ is odd.



3 Nonlinearity of $f(x) = x^{2^{2k}+2^k+1}$

In this section we give a slightly different proof of the fact that
$x^{2^{2k}+2^k+1}$ has $NL(f) = 2^{n-1} - 2^{\frac{n}{2}}$. Most importantly, our
proof also covers the case where the function is not a permutation, i.e., when
$k$ is even.
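The script below is an added example, not code from the paper: it builds the value table of $f$ on $\mathbb{F}_{2^{4k}}$ from explicit field arithmetic, counts the differential uniformity of Definition 1 directly, and reads the nonlinearity of Definition 2 off the Fourier spectrum with a fast Walsh-Hadamard transform, so the permutation criterion of Section 2 and the nonlinearity value for even $k$ can both be checked on $\mathbb{F}_{16}$ ($k = 1$) and $\mathbb{F}_{256}$ ($k = 2$). The modulus polynomials and all function names (gf_mul, gf_pow, power_map_table, is_permutation, differential_uniformity, walsh, nonlinearity) are choices made here, and bit parity of $a \,\&\, x$ stands in for $\mathrm{Tr}(ax)$, which leaves the spectrum unchanged.

```python
from collections import Counter

MODULUS = {4: 0b10011, 8: 0b100011011}  # x^4+x+1 and x^8+x^4+x^3+x+1 (AES poly)

def gf_mul(a, b, n):
    """Carry-less product in F_{2^n}, reduced modulo MODULUS[n]."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = a << 1, b >> 1
        if a >> n:
            a ^= MODULUS[n]
    return r
def gf_pow(x, e, n):
    """Square-and-multiply exponentiation in F_{2^n}."""
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, x, n)
        x, e = gf_mul(x, x, n), e >> 1
    return r
def power_map_table(k):
    """Value table of f(x) = x^(2^{2k}+2^k+1) on F_{2^{4k}}, and n = 4k."""
    n, e = 4 * k, (1 << 2 * k) + (1 << k) + 1
    return [gf_pow(x, e, n) for x in range(1 << n)], n

def is_permutation(table):
    """Section 2 says this holds iff k is odd (gcd(2^{4k}-1, e) = 1)."""
    return len(set(table)) == len(table)
def differential_uniformity(table):
    """max over a != 0, b of |{x : f(x+a) + f(x) = b}| (field + is XOR)."""
    size = len(table)
    return max(max(Counter(table[x] ^ table[x ^ a] for x in range(size)).values())
               for a in range(1, size))
def walsh(signs):
    """Fast Walsh-Hadamard transform: W[a] = sum_x signs[x] * (-1)^<a,x>."""
    w, h = list(signs), 1
    while h < len(w):
        for i in range(0, len(w), 2 * h):
            for j in range(i, i + h):
                w[j], w[j + h] = w[j] + w[j + h], w[j] - w[j + h]
        h *= 2
    return w

def nonlinearity(table, n):
    """NL(f) = 2^(n-1) - max|f^(a,b)|/2 over b != 0 (Definition 2); bit parity
    of b & y and a & x stands in for Tr(by), Tr(ax) without changing the spectrum."""
    parity, worst = (lambda v: bin(v).count("1") & 1), 0
    for b in range(1, 1 << n):
        signs = [1 - 2 * parity(b & y) for y in table]   # (-1)^{Tr(b f(x))}
        worst = max(worst, max(abs(c) for c in walsh(signs)))
    return (1 << (n - 1)) - worst // 2
```

Larger $k$ can be checked the same way by adding an irreducible modulus polynomial of degree $4k$ to MODULUS; the differential count grows as $2^{8k}$, so $k = 3$ (the 12-bit case of Section 4) already takes a while in pure Python.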

Technically, the main difference to Dobbertin's proof in [7] is that we are not
going to use an $\mathbb{F}_{2^k}$ basis of $\mathbb{F}_{2^{4k}}$ to express
elements in $\mathbb{F}_{2^{4k}}$ but rather an $\mathbb{F}_{2^{2k}}$ basis. This
change makes some of the "lengthy but routine" computations, as Dobbertin
states it, easier.

Theorem 2 Let $f(x) = x^{2^{2k}+2^k+1}$ be defined on $\mathbb{F}_{2^{4k}}$. Then

$$NL(f) = 2^{n-1} - 2^{\frac{n}{2}}.$$

Proof. We have to show that for any non-zero $b$ and any $a$ the absolute value
of the Fourier coefficient $\hat f(a,b)$ is smaller than or equal to $2^{2k+1}$.
There are two cases to consider. If $k$ is odd, then $f$ is a bijection and it
is therefore enough to study the case $b = 1$. If $k$ is even, then
$\gcd(2^{2k} + 2^k + 1, 2^{4k} - 1) = 3$ and up to equivalence there are two
different $b$ to consider, namely the case $b = 1$ and $b$ any non-cube. Here we
remark that in the case $k$ even we can always choose a non-cube in
$\mathbb{F}_{2^k}$ without loss of generality. Thus, in both cases it is enough
to study $b \in \mathbb{F}_{2^k}$. Moreover, we can restrict the case to
elements $b \in \mathbb{F}_{2^k}$ such that $\mathrm{Tr}_k(b) = 1$.

Let $\gamma$ be any non-zero element in $\mathbb{F}_{2^k}$ such that
$\mathrm{Tr}_k(\gamma) = 1$. For simplicity we denote by
$g_{\gamma^2}(x) = \mathrm{Tr}(\gamma^2 x^{2^{2k}+2^k+1})$ (we use $\gamma^2$
instead of $\gamma$ to avoid dealing with square roots later on). Furthermore,
let $\alpha \in \mathbb{F}_{2^{2k}}$ be an element fulfilling the equation
$\alpha^2 + \gamma\alpha + \gamma^3 = 0$. As $\mathrm{Tr}_k(\gamma) = 1$ the
polynomial $a^2 + a + \gamma = 0$ is irreducible over $\mathbb{F}_{2^k}$ and by
replacing $a$ by $a\gamma^{-1}$ and multiplying across by $\gamma^2$ we see that
the polynomial $a^2 + \gamma a + \gamma^3 = 0$ is irreducible as well. Therefore
$\alpha \notin \mathbb{F}_{2^k}$ and furthermore it holds that
$\alpha^{2^k} + \alpha = \gamma$. Thus,

$$\mathrm{Tr}_{2k}(\alpha) = \mathrm{Tr}_k(\alpha^{2^k} + \alpha) = \mathrm{Tr}_k(\gamma) = 1.$$
This implies that the polynomial $x^2 + x + \alpha$ is irreducible over
$\mathbb{F}_{2^{2k}}$ and finally every element in $\mathbb{F}_{2^{4k}}$ can be
represented by $y + \omega a$, where $y, a \in \mathbb{F}_{2^{2k}}$ and
$\omega \in \mathbb{F}_{2^{4k}}$ with $\omega^2 + \omega + \alpha = 0$. Using this
expression for $x$ we compute

$$\begin{aligned}
g_{\gamma^2}(x) &= g_{\gamma^2}(y + \omega a) \\
&= \mathrm{Tr}\big(\gamma^2 (y + \omega a)^{2^{2k}+2^k+1}\big) \\
&= \mathrm{Tr}\big(\gamma^2 y^{2^{2k}+2^k+1}\big) \\
&\quad + \mathrm{Tr}\big(\gamma^2 (y^{2^{2k}+2^k}(\omega a) + y^{2^{2k}+1}(\omega a)^{2^k} + y^{2^k+1}(\omega a)^{2^{2k}})\big) \\
&\quad + \mathrm{Tr}\big(\gamma^2 (y^{2^{2k}}(\omega a)^{2^k+1} + y^{2^k}(\omega a)^{2^{2k}+1} + y(\omega a)^{2^{2k}+2^k})\big) \\
&\quad + \mathrm{Tr}\big(\gamma^2 (\omega a)^{2^{2k}+2^k+1}\big) \\
&= A + B + C + D.
\end{aligned}$$

First we note that $A = 0$ as $\gamma^2$ and $y$ are in $\mathbb{F}_{2^{2k}}$.
Furthermore $B$ can be simplified,

$$\begin{aligned}
B &= \mathrm{Tr}\big(\gamma^2 y^{2^k+1}(\omega a) + \gamma^2 y^2 (\omega a)^{2^k} + \gamma^2 y^{2^k+1}(\omega a)^{2^{2k}}\big) \\
&= \mathrm{Tr}\big(\gamma^2 y^{2^k+1}((\omega a) + (\omega a)^{2^{2k}}) + \gamma^2 y^2 (\omega a)^{2^k}\big) \\
&= \mathrm{Tr}\big(\gamma^2 y^2 (\omega a)^{2^k}\big),
\end{aligned}$$

where the last equality follows as
$\gamma^2 y^{2^k+1}((\omega a) + (\omega a)^{2^{2k}})$ is in $\mathbb{F}_{2^{2k}}$.
Now consider the term $C$. We first remark that
$\gamma^2 y^{2^k}(\omega a)^{2^{2k}+1}$ is in the subfield $\mathbb{F}_{2^{2k}}$
and thus

$$\begin{aligned}
C &= \mathrm{Tr}\big(\gamma^2 (y^{2^{2k}}(\omega a)^{2^k+1} + y(\omega a)^{2^{2k}+2^k})\big) \\
&= \mathrm{Tr}\big(\gamma^2 y((\omega a)^{2^k+1} + (\omega a)^{2^{2k}+2^k})\big).
\end{aligned}$$

Therefore

$$\begin{aligned}
g(x) &= g(y + \omega a) \\
&= \mathrm{Tr}\big(y(\gamma (\omega a)^{2^{k-1}} + \gamma^2 (\omega a)^{2^k+1} + \gamma^2 (\omega a)^{2^{2k}+2^k}) + \gamma^2 (\omega a)^{2^{2k}+2^k+1}\big).
\end{aligned}$$

The important observation is that this expression is linear in $y$. Thus, the
function belongs to the generalized Maiorana-McFarland type of functions. Next,
we compute an expression of $g$ using the absolute trace on $\mathbb{F}_{2^{2k}}$
denoted by $\mathrm{Tr}_{2k}$. For this we make use of the following equations

$$\omega + \omega^{2^{2k}} = 1$$

and

$$\omega^{2^{2k}+2^k+1} + \omega^{(2^{2k}+2^k+1)2^{2k}} = \alpha,$$

that follow from the fact that the two solutions of

$$x^2 + x + \alpha = 0$$

are $\omega$ and $\omega^{2^{2k}}$.

$$\begin{aligned}
g(y + \omega a) &= \mathrm{Tr}_{2k}\Big(y\big(\gamma a^{2^{k-1}}(\omega + \omega^{2^{2k}})^{2^{k-1}} + \gamma^2 (a(\omega + \omega^{2^{2k}}))^{2^k+1}\big)\Big) \\
&\quad + \mathrm{Tr}_{2k}\Big(\gamma^2 a^{2^{2k}+2^k+1}\big(\omega^{2^{2k}+2^k+1} + \omega^{(2^{2k}+2^k+1)2^{2k}}\big)\Big) \\
&= \mathrm{Tr}_{2k}\Big(y\big(\gamma a^{2^{k-1}} + \gamma^2 a^{2^k+1}\big) + \alpha\gamma^2 a^{2^k+2}\Big).
\end{aligned}$$

From now on the proof continues very much like Dobbertin's original proof. We
denote by $\mu(y) = (-1)^{\mathrm{Tr}_{2k}(y)}$ and

$$\pi(a) = \gamma a^{2^{k-1}} + \gamma^2 a^{2^k+1}.$$

We compute

$$\begin{aligned}
\hat g(u + \omega v) &= \sum_{y, a \in \mathbb{F}_{2^{2k}}} \mu\big(y\pi(a) + \alpha\gamma^2 a^{2^k+2} + uy + va\big) \\
&= \sum_{a} \mu\big(\alpha\gamma^2 a^{2^k+2} + va\big) \sum_{y} \mu\big(y(\pi(a) + u)\big) \\
&= 2^{2k} \sum_{a :\, \pi(a) = u} \mu\big(\alpha\gamma^2 a^{2^k+2} + va\big).
\end{aligned}$$

For any $u$ we have to study the set $M = \{a \mid \pi(a) = u\}$ and in
particular its possible size. First note that

$$\pi(a) = \pi(a + c)$$

implies

$$\begin{aligned}
0 &= \pi(a) + \pi(a+c) + \big(\pi(a) + \pi(a+c)\big)^{2^k} \\
&= \gamma\big(c^{2^{k-1}} + c^{2^{2k-1}}\big) \\
&= \gamma\big(c + c^{2^k}\big)^{2^{k-1}}
\end{aligned}$$

and we conclude $c \in \mathbb{F}_{2^k}$. Therefore, we can equivalently study
the set

$$\{c^2 \in \mathbb{F}_{2^k} \mid \pi(a_0 + c^2) = u\}$$

where $a_0$ is an element in $M$. Note that we use $c^2$ instead of $c$ to get
rid of the power $2^{k-1}$. Considering the equation

$$\pi(a_0) + \pi(a_0 + c^2) = 0$$

we get the following equation for $c$

$$c^4 + (a_0^{2^k} + a_0)c^2 + \gamma^{-1}c = 0 \quad (13)$$

which immediately implies $|M| \in \{0, 1, 2, 4\}$. As
$|\hat g(u + \omega v)| \leq 2^{2k}|M|$ the only case we need to care about for
proving the theorem is the case $|M| = 4$. In this case the set $M$ consists of
elements

$$M = \{a_0,\ a_0 + c_0,\ a_0 + c_1,\ a_0 + c_0 + c_1\}$$
where $c_0, c_1$ are solutions of (13) and thus $c_0 c_1 (c_0 + c_1) = \gamma^{-1}$.
Next we compute

$$\begin{aligned}
\sum_{a \in M} \mathrm{Tr}_{2k}\big(\alpha\gamma^2 a^{2^k+2} + va\big)
&= \mathrm{Tr}_{2k}\Big(\alpha\gamma^2\big(a_0^{2^k+2} + (a_0 + c_0)^{2^k+2} + (a_0 + c_1)^{2^k+2} + (a_0 + c_0 + c_1)^{2^k+2}\big)\Big) \\
&= \mathrm{Tr}_{2k}\big(\alpha\gamma^2(c_0 c_1^2 + c_1 c_0^2)\big) \\
&= \mathrm{Tr}_{2k}\big(\alpha\gamma^2(c_0 c_1(c_0 + c_1))\big) \\
&= \mathrm{Tr}_{2k}(\alpha\gamma) \\
&= \mathrm{Tr}_k\big(\gamma(\alpha + \alpha^{2^k})\big) \\
&= \mathrm{Tr}_k(\gamma^2) = 1
\end{aligned}$$

which implies

$$\hat g(u + \omega v) = 2^{2k} \sum_{a \in M} \mu\big(\alpha\gamma^2 a^{2^k+2} + va\big) = \pm 2^{2k+1}.$$

□



4 Closing Remarks and Open Problems 

We have demonstrated that the function $f(x) = x^{2^{2k}+2^k+1}$ has the same
resistance to both differential and linear attacks as the inverse function. The
fact that it can permute the field when $k$ is odd means it could be used in a
cryptosystem acting on 12 bits. We now list all the known highly nonlinear
permutations with differential uniformity of 4. For power mappings we
conjecture this list to be complete.



f(x)                      Conditions                        Ref.
$x^{2^s+1}$               $n = 2k$, $k$ odd, $\gcd(n, s) = 2$
$x^{2^{2s}-2^s+1}$        $n = 2k$, $k$ odd, $\gcd(n, s) = 2$
$x^{-1}$                  $n$ even
$x^{2^{2k}+2^k+1}$        $n = 4k$, $k$ odd                  This article
Open Problem 1 Find more highly nonlinear permutations of even degree fields
with differential uniformity of 4.

Open Problem 2 Find a function, defined on a field of even degree, with higher
nonlinearity than $2^{n-1} - 2^{\frac{n}{2}}$ or prove that such a function
can't exist.